Release Date: 13/03/2022 | Issue: 128
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

🔥The week of vulnerabilities🔥
It was a challenging week for the cloud providers, as 7 out of 12 of this week's articles are about newly discovered vulnerabilities! 😣
While Azure was the one hit hardest, GCP and AWS had their share of vulns. Maybe that's why Google decided to bolster GCP's capabilities by acquiring Mandiant?

Interested in beta testing a new Cloudflare security product?
Cloudflare is excited to share a new opportunity to try out one of our latest platform additions, Cloudflare CASB. This new product gives IT and security teams a ridiculously easy way to connect their SaaS apps - like Google Workspace and Microsoft 365 - and scan them for critical security issues and risks, like misconfigurations, insecure file sharing, and shadow IT.
Sound like something that could help at your organization? Please visit and submit our beta access form to get started!

This week's articles

CVE-2022-0847 (aka Dirty Pipe): What does it mean for defenders   #attack, #aws, #azure, #containers, #defend, #gcp
A quick summary and actionable advice for defenders of cloud environments and those teams who are asked to determine the impact of CVE-2022-0847 on their company's infrastructure.

AutoWarp Microsoft Azure Automation Vulnerability   #attack, #azure
AutoWarp is a critical vulnerability in Microsoft Azure Automation Service that allows unauthorized access to other customer accounts using the service.

Escalating from Logic App Contributor to Root Owner in Azure   #attack, #azure
Having Contributor access to an Azure Resource Manager (ARM) API Connection would allow you to create arbitrary role assignments as the connected user. This was supposed to be limited to actions at the Resource Group level, but an attacker could escape to the Subscription or Root level with a path traversal payload.

Abusing Family Refresh Tokens for Unauthorized Access and Persistence in Azure Active Directory   #attack, #azure
Undocumented functionality in Azure Active Directory allows a group of Microsoft OAuth client applications to obtain special "family refresh tokens", which can be redeemed for bearer tokens as any other client in the family.

Lateral Movement in Google Cloud: Abusing the Infamous Default Service Account Misconfiguration   #attack, #gcp
This post covers how a malicious actor can conduct lateral movement in Google Cloud across compute engine instances using the default service account.

Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities   #attack, #gcp, #kubernetes
Users able to create a pod could have abused these to (1) escape their pod and compromise the underlying node, (2) escalate privileges and become full cluster administrators, and (3) covertly persist administrative access through backdoors that are completely invisible to cluster operators.

How to Automate the Provisioning of Narrowly-Scoped and Short-Lived Pull Secrets   #build, #kubernetes, #vault
Post showcasing an approach aimed at automating the provisioning of narrowly-scoped and short-lived pull secrets within Kubernetes environments thanks to HashiCorp Vault.

Triaging A Malicious Docker Container   #containers, #defend
How to triage a malicious image containing a piece of malware previously undetected in VirusTotal.

Escaping privileged containers for fun   #attack, #containers
A new technique to escape privileged containers.

Kubernetes Hardening Tutorial Part 3: Authentication, Authorization, Logging & Auditing   #defend, #kubernetes
Learn how to set up an AWS EKS cluster with Terraform and leverage best practices to configure roles, service accounts, logging, and auditing.

HCP Packer Is Now Generally Available   #announcement, #build, #ci/cd, #terraform
HCP Packer provides automation, collaboration, and security for managing images across multiple clouds. It includes image security and compliance workflows with Terraform Cloud.

Google Announces Intent to Acquire Mandiant   #announcement, #gcp
From the statement: "As a recognized leader in strategic security advisory and incident response services, Mandiant brings real-time and in-depth threat intelligence gained on the frontlines of cybersecurity with the largest organizations in the world."


Network security testing for DevSecOps workflows.

A Docker + Kubernetes network trouble-shooting swiss-army container.

The Kubernetes Security Profiles Operator.

Pinniped is the easy, secure way to log in to your Kubernetes clusters.

A Go package that lets you run code after your Lambda function has returned its response. Potential use cases: flushing telemetry, audit logs, etc.


Did you know 75% of containers have critical vulnerabilities that are patchable? Get real-world practical insights from Sysdig's 2022 Cloud-Native Security and Usage Report to help as you work to develop best practices for securing and monitoring your cloud-native environments.

From the cloud providers

AWS: Analyze AWS WAF logs using Amazon OpenSearch Service anomaly detection built on Random Cut Forests
How to use the machine learning capabilities of Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) to detect and visualize anomalies in AWS WAF logs.

AWS: How to configure an incoming email security gateway with Amazon WorkMail
How to integrate Amazon WorkMail with an email security gateway. Configuring WorkMail this way can provide a versatile defense strategy for inbound email threats.

AWS: How to automate AWS account creation with SSO user assignment
How to automate creating multiple AWS accounts in AWS Control Tower, and how to automate assigning user access to the AWS accounts in AWS SSO, with the ability to repeat the process easily for subsequent batches of accounts.

GCP: New resources to advance your Autonomic Security Operations modernization journey
The latest release of Autonomic Security Operations includes a variety of initiatives and investments, from the launch of a Public Sector solution, a Community Security Analytics repository, to a fully comprehensive technology stack.

GCP: Protect your users' accounts with reCAPTCHA Enterprise's account defender
Account defender, available today in public preview, is a feature in reCAPTCHA Enterprise that analyzes the patterns of behavior for an individual account.

GCP: Build your perfect Google Cloud infrastructure using Terraform and the gcloud CLI
Learn more about how declarative export allows you to export the current state of your infrastructure into a descriptive file compatible with Terraform.

Azure: Microsoft DDoS protection response guide
Receiving Distributed Denial of Service (DDoS) attack threats? This guide provides an overview of what Microsoft provides at the platform level, information on recent mitigations, and best practices.

Azure: Meet PCI compliance with credit card tokenization
Article presenting a solution for processing credit card payments that makes use of confidential virtual machines (CVMs) running on AMD Secure Encrypted Virtualization - Secure Nested Paging (SEV-SNP) technology.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

© 2019-present, CloudSecList by Marco Lancini.